Enterprises have become increasingly dependent on computer network infrastructures to provide services and accomplish mission-critical tasks. Indeed, the performance, security, and efficiency of these network infrastructures have become critical as enterprises increase their reliance on distributed computing environments and wide area computer networks. To that end, a variety of network devices have been created to provide data gathering, reporting, and/or operational functions, such as firewalls, gateways, packet capture devices, bandwidth management devices, application traffic monitoring devices, and the like. For example, the TCP/IP protocol suite, which is widely implemented throughout the world-wide data communications network environment called the Internet and many wide and local area networks, omits any explicit supervisory function over the rate of data transport over the various devices that comprise the network. While there are certain perceived advantages, this characteristic has the consequence of juxtaposing very high-speed packets and very low-speed packets in potential conflict and produces certain inefficiencies. Certain loading conditions degrade performance of networked applications and can even cause instabilities which could lead to overloads that could stop data transfer temporarily. In response, certain data flow rate control mechanisms have been developed to provide a means to control and optimize efficiency of data transfer as well as allocate available bandwidth among a variety of business enterprise functionalities. For example, U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets. 
Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. For example, U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. For example, bandwidth management devices allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. In addition, network security is another concern, such as the detection of computer viruses, as well as prevention of Denial-of-Service (DoS) attacks on, or unauthorized access to, enterprise networks. Accordingly, firewalls and other network devices are deployed at the edge of such networks to filter packets and perform various operations in response to a security threat. In addition, packet capture and other network data gathering devices are often deployed at the edge of, as well as at other strategic points in, a network to allow network administrators to monitor network conditions.
Enterprise network topologies can span a vast array of designs and connection schemes depending on the enterprise's resource requirements, the number of locations or offices to connect, desired service levels, costs and the like. A given enterprise often must support multiple LAN or WAN segments that support headquarters, branch offices and other operational and office facilities. Indeed, enterprise network design topologies often include multiple, interconnected LAN and WAN segments in the enterprise's intranet, and multiple paths to extranets and the Internet. Enterprises that cannot afford the expense of private leased lines to develop their own WANs often employ frame relay, or other packet-switched networks, together with Virtual Private Networking (VPN) technologies to connect private enterprise sites via a service provider's public network or the Internet. Some enterprises also use VPN technology to create extranets with customers, suppliers, and vendors. These network topologies often require the deployment of a variety of network devices at each remote facility. In addition, some network systems are end-to-end solutions, such as application traffic optimizers using compression tunnels, requiring network devices at each end of a communications path between, for example, a main office and a remote facility.
The deployment, configuration and management of enterprise networks often require specially-trained personnel tasked with installing and maintaining the network devices implementing or supporting the networks. For example, after physical installation of the network device, a network administrator typically must access a configuration interface to provide initial configuration information, such as an IP address and subnet mask. Accordingly, the cost and ability to manage and maintain enterprise networks can become problematic, especially for enterprises with a number of remote facilities. For example, the deployment and configuration of a given network device often requires an enterprise, or network service provider, to send out skilled personnel to perform the required installation and configuration tasks. In large enterprise networks, the ability to deploy a large number of network devices, as well as the costs associated with doing so, can become problematic. While some network devices include functionality (such as Layer 2 discovery mechanisms) allowing them to be automatically configured by a network management device after physical installation on a network, these automated deployment mechanisms are typically limited to local installations where the configuring system and the newly-deployed network device are on the same subnetwork. Given the vast array of enterprise network topologies discussed above, methods, apparatuses and systems are required to facilitate automated, remote deployment of network devices. Embodiments of the present invention substantially fulfill this need. The deployment, configuration and management of enterprise networks further require network security, which may entail encryption of key network configuration parameters or messages. As known to those of skill in the art, there are two primary types of encryption algorithms, known as “symmetric encryption” and “asymmetric encryption” algorithms.
Symmetric cryptography, also known as “secret key cryptography,” is a system in which a single secret key is used both to encrypt and to decrypt a message. It is symmetric in the sense that both sender and receiver hold the same key, and any party holding the secret key can decrypt any message sent to the receiver. Asymmetric cryptography is also known in the art as “public-key cryptography.” A common public-key system is known as the “RSA public key cryptosystem”; see Thomas H. Cormen, Charles E. Leiserson, Robert L. Rivest, and Clifford Stein, Introduction to Algorithms, Second Edition, MIT Press and McGraw-Hill, 2001, ISBN 0-262-03293-7, Section 31.7: The RSA public-key cryptosystem, pp. 80-81. In a public-key cryptography system, a user has two keys, a private key and a public key. The private key is kept secret, while the public key may be widely distributed to various potential senders. The private key cannot be determined in a practical manner from the public key, and a message encrypted with the public key can be decrypted only with the private key. Thus, access to keys and messages is asymmetric, in that the senders hold a different key from the receiver, and only the receiver can decrypt the various sent messages. This provides confidentiality to the various users. Various asymmetric encryption algorithms are described in Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, October 1996, ISBN 0-8493-8523-7, and R. Rivest, A. Shamir, and L. Adleman, Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21 (2), pp. 120-126, 1978.
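The asymmetric key model described above, worked through as an added example that is not part of the patent text: textbook RSA key generation (n = pq, d = e^-1 mod phi(n)) with constructed small primes so the arithmetic is visible, showing that several senders sharing one public key can each encrypt, while only the holder of the private exponent recovers the message.

```python
# Added example, not from the patent: textbook RSA over small, constructed
# primes. No padding is used, so this illustrates the key model only and is
# not a usable cipher; real deployments use a padded scheme (e.g. RSA-OAEP).
from math import gcd


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n for distinct primes
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Sender side: needs only the public key (e, n)."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Receiver side: needs the private key (d, n)."""
    d, n = private_key
    return pow(c, d, n)


def demo():
    """Two senders encrypt to the same receiver; only the receiver decrypts."""
    public_key, private_key = make_keypair(61, 53)   # constructed primes, n = 3233
    sender_msgs = {"sender_a": 65, "sender_b": 123}  # constructed sample messages
    ciphertexts = {who: encrypt(public_key, m) for who, m in sender_msgs.items()}

    # Receiver recovers every message with the private exponent d.
    recovered = {who: decrypt(private_key, c) for who, c in ciphertexts.items()}

    # A sender holding only the public key cannot undo the encryption:
    # exponentiating again with e yields m^(e*e) mod n, not m.
    e, n = public_key
    wrong_guess = pow(ciphertexts["sender_a"], e, n)

    return recovered == sender_msgs and wrong_guess != sender_msgs["sender_a"]
```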